CN113721904A - Network policy verification system and method - Google Patents


Info

Publication number
CN113721904A
CN113721904A
Authority
CN
China
Prior art keywords
network
expression
policy
strategy
module
Prior art date
Legal status
Granted
Application number
CN202110925006.XA
Other languages
Chinese (zh)
Other versions
CN113721904B (en)
Inventor
李军
李一凡
贾成君
胡效赫
Current Assignee
Beijing Jiliu Technology Co ltd
Original Assignee
Tsinghua University
Priority date
Filing date
Publication date
Application filed by Tsinghua University
Priority to CN202110925006.XA
Publication of CN113721904A
Application granted
Publication of CN113721904B
Legal status: Active
Anticipated expiration

Abstract

Translated from Chinese.

The present invention provides a network policy verification system and method. The system includes an input terminal, a network policy verification unit and an output terminal. The input terminal is used for inputting the network topology, the network policy and the constraints to be verified; the network policy verification unit receives the network topology, the network policy and the constraints to be verified, and outputs a network verification result based on the acquired configuration file of the network device; the output terminal outputs constraint satisfaction information, error location information and error repair suggestions. The embodiments of the present invention introduce modular program design into network verification, which reduces the complexity of designing a network policy verification tool, makes it easy to split the workload for agile development, and simplifies debugging, maintenance and problem location for the tool.

Description

Network policy verification system and method
Technical Field
The invention relates to the technical field of network policy verification, in particular to a network policy verification system and a network policy verification method.
Background
Traditional network policy verification technology models a given network, reads the configurations of routers and switches from a specific manufacturer, analyzes the network policy with a particular verification algorithm, such as a graph algorithm or theorem proving, and traverses the state space of network behaviors. Because each verification tool is constrained in several respects, network operation and maintenance personnel generally cannot apply an existing policy verification tool directly to the network they operate. In addition, faced with a variety of complex network verification tools, operation and maintenance personnel cannot readily analyze them and select a suitable scheme.
Traditional network policy verification tools are limited by their programming model, cannot cover the full range of network devices and network constraints, and have the following defects:
(1) Function definitions are unclear, so it is difficult to select a network policy checking tool with sufficient functionality and good performance for a specific network and a specific problem.
(2) Input formats are not uniform: when different network policy verification tools are used to verify the same network, the input must be adapted for each tool, which greatly increases the workload of the network administrator.
(3) Code reuse is low and repeated development is common. Because the module division of existing network policy checking tools is unclear, developers designing a new network checking algorithm often re-develop unrelated modules, such as the network policy parsing module, which wastes labor and slows down technical iteration.
Disclosure of Invention
The embodiments of the invention provide a network policy checking system and a network policy checking method, which solve some or all of the above problems of current network policy checking.
In a first aspect, an embodiment of the present invention provides a network policy checking system, including an input end, a network policy checking unit, and an output end;
the input terminal is used for inputting the network topology, the network policies and the constraints to be verified;
the network policy verification unit is used for receiving the network topology, the network policy and the constraints to be verified, and outputting a network verification result based on the acquired configuration file of the network device;
the output terminal is used for outputting constraint satisfaction information, error location information and/or error repair suggestions.
Preferably, the network policy checking unit comprises an input parsing module, a packet header expression module, a policy expression module, an operation behavior expression module and a constraint checking module;
the input parsing module is used for obtaining a standardized network policy expression based on the acquired configuration file of the network device;
the packet header expression module is used for storing the data structure that expresses and records packet headers;
the policy expression module is used for receiving the standardized network policy expression, constructing a policy set from the classes that express and record policies, and executing a preprocessing function on the policy set;
the operation behavior expression module is used for obtaining the policy application interface of the operation behavior description abstract class of the network based on the preprocessed policy set;
and the constraint checking module is used for obtaining a network checking result by calling the policy application interface of the operation behavior description abstract class.
Preferably, the input parsing module is specifically configured to implement parsing classes of configuration files of different network devices through predefined interfaces, convert configurations of network devices of different manufacturers into predefined standardized data structures, format and output the predefined standardized data structures to a file, so as to obtain a standardized network policy expression.
Preferably, the configuration file comprises a packet header expression mode configuration, a policy granularity configuration and a forwarding function configuration;
modifying this static configuration file to adapt to different network verification algorithms, so that the network policy verification tool can be customized, comprises:
configuring the packet header expression mode so that a new packet header expression class implementing the abstract class interface of the packet header expression module is used, which reconstructs the packet header expression module;
inserting a new preprocessing function at a specified position of the policy expression module through the policy granularity configuration, which changes the preprocessing of the policy expression module;
and configuring the forwarding function so that a new operation behavior expression class implementing the abstract class interface of the operation behavior expression module is used.
In a second aspect, an embodiment of the present invention provides a network policy checking method, including:
acquiring the network topology, the network policies and the constraints to be verified;
obtaining a network verification result based on the network topology, the network policy, the constraints to be verified and the configuration file of the network device;
and obtaining constraint satisfaction information, error location information and/or error repair suggestions based on the network verification result.
Preferably, obtaining a network verification result based on the network topology, the network policy, the constraints to be verified, and the configuration file of the network device includes:
obtaining a standardized network policy expression based on the acquired configuration file of the network device;
receiving the standardized network policy expression, constructing a policy set from the classes that express and record policies, based on the stored data structure that expresses and records packet headers, and executing a preprocessing function on the policy set;
obtaining the policy application interface of the operation behavior description abstract class of the network based on the preprocessed policy set;
and obtaining a network verification result by calling the policy application interface of the operation behavior description abstract class.
Preferably, obtaining a standardized network policy expression based on the acquired configuration file of the network device includes: implementing parsing classes for the configuration files of different network devices through a predefined interface, converting the configurations of network devices of different manufacturers into a predefined standardized data structure, and formatting the output to a file, so as to obtain the standardized network policy expression.
Preferably, the configuration file comprises a packet header expression mode configuration, a policy granularity configuration and a forwarding function configuration;
modifying this static configuration file to adapt to different network verification algorithms, so that the network policy verification tool can be customized, comprises:
configuring the packet header expression mode so that a new packet header expression class implementing the abstract interface of the packet header expression module is used, which reconstructs the packet header expression module;
inserting a new preprocessing function at a designated position of the policy expression module through the policy granularity configuration, which changes the preprocessing of the policy expression module;
and configuring the forwarding function so that a new operation behavior expression class implementing the abstract class interface of the operation behavior expression module is used.
In a third aspect, an embodiment of the present invention provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the network policy checking method according to any one of the foregoing second aspects when executing the program.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the network policy checking method according to any one of the second aspects.
According to the network policy verification system and method provided by the embodiment of the invention, the network topology, the network policy and the constraint to be verified are input, the network verification result is output based on the acquired configuration file of the network equipment, and the constraint satisfaction information, the error positioning information and/or the error repair suggestion are output based on the network verification result. The invention provides a flexible and customizable universal network policy checking framework for a network administrator, provides reusable codes and interfaces with clear definition for technical developers, and saves the development cost of a network policy checking tool and the technical iteration cost.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a network policy checking system provided in the present invention;
fig. 2 is a schematic structural diagram of a network policy checking unit provided in the present invention;
FIG. 3 is a schematic diagram of a network policy verification process provided by the present invention;
FIG. 4 is a schematic diagram of an example network topology provided by the present invention;
FIG. 5 is a flow chart illustrating a network policy checking method according to the present invention;
fig. 6 is a schematic structural diagram of an electronic device provided in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention aims to reconstruct various network verification algorithms in a modular programming style, based on a functional modular split of network policy verification technology, to define uniform module interfaces and data structures, and so to realize a flexible and extensible universal framework for network policy verification tools that reduces the difficulty of using such tools and improves their development efficiency. Modular programming is a programming paradigm that divides the large program to be built into independent small modules according to function, defines clear interface functions and data formats between the modules, and achieves the intended program function through cooperation among these small modules.
The invention provides a universal network policy verification framework, covering the functional division of the network policy verification process, the interface design and modeling of the functional modules of network policy verification, the design of standardized input and output formats for network policy verification, the modular reconstruction of existing network policy verification algorithms, and the customization of network policy verification based on a configuration file.
A network policy verification system and method provided by the present invention are described below with reference to fig. 1 to 6.
The embodiment of the invention provides a network policy verification system. Fig. 1 is a schematic structural diagram of a network policy checking system according to an embodiment of the present invention; as shown in fig. 1, the system includes an input terminal 110, a network policy checking unit 120, and an output terminal 130;
the input terminal 110 is used for inputting the network topology, network policies and constraints to be verified;
specifically, the inputs to the network policy verification framework include the network topology, the network policy, and the constraints to be verified:
1.1 network topology refers to the nodes in a network, such as switches, routers, and hosts, and the manner of connection between ports on these nodes.
1.2 network policy refers to the policy according to which network packets are processed in the network, such as forwarding table, firewall, port mapping, and network protocol.
1.3 the constraint to be verified refers to the description of the network behavior that the network operation and maintenance personnel want to check, such as whether there is a reachable network packet between two ports in the network, whether there is a loop in the network, and whether there is a black hole in the network.
The network policy checking unit 120 is configured to receive the network topology, the network policy, and the constraints to be verified, and to output a network checking result based on the acquired configuration file of the network device;
the output terminal 130 is configured to output constraint satisfaction information, error location information, and/or error repair suggestions.
In particular, the output of the network policy verification framework includes constraint satisfaction information, error location information, and/or error repair suggestions.
2.1 Constraint satisfaction information refers to information related to the constraint, for example: the network packets that can travel between two points and the devices and ports they pass through on the way; the network packets that loop in the network and the devices and ports that form the loop; the devices and ports at which a black hole exists and the network packets that fall into it.
2.2 Error location information refers to the network policy that is output when a constraint is not satisfied, i.e. the policy that causes the network behavior to violate the constraint.
2.3 An error repair suggestion refers to a network policy modification scheme, output when a constraint is not satisfied, that would make the network behavior satisfy the constraint.
The system provided by the embodiment of the invention is based on modular program design. It lets network operation and maintenance personnel check different network devices, network policies and network constraints; by modeling the sequence of functional modules in the network checking process as a combination, it allows modules with the same function but different underlying principles to be freely combined, so that operation and maintenance personnel can customize a network checking tool whose functions and performance meet their requirements; and it accelerates the development of network checking tools through code reuse and standardized interfaces, reducing the cost of technical iteration.
Based on any of the above embodiments, as shown in fig. 2, the network policy checking unit includes an input parsing module 210, a packet header expression module 220, a policy expression module 230, an operation behavior expression module 240, and a constraint checking module 250;
specifically, the network policy checking framework is based on a functional modular split: through analysis of a large number of existing network policy checking tools, the framework splits the checking unit into an input parsing module, a packet header expression module, a policy expression module, an operation behavior expression module and a constraint checking module.
The input parsing module 210 is configured to obtain a standardized network policy expression based on the acquired configuration file of the network device;
specifically, the input of the input parsing module is the configuration file of the network device and its output is a standardized network policy expression, which can be used directly as the input of subsequent modules or written to a file. The expression format is:
policy type $ input port $ policy information $ output port
The policy types include fwd (forwarding policy), rewrite (header rewrite policy), link (physical connection), protocol (specific protocol), etc. The policy information field stores information specific to each policy type: for a physical connection policy the field is empty; for a forwarding policy the field is the packet header information matched by the forwarding rule.
The packet header expression module 220 is configured to store the data structure that expresses and records packet headers;
in particular, the packet header expression module consists of an abstract class and a series of implementations of it, which provide data structures able to express and record packet headers, such as bit arrays or binary trees. The class provides interfaces for packet header space calculation, such as header space intersection and header space subtraction, for other classes to call.
The policy expression module 230 is configured to receive the standardized network policy expression, construct a policy set from the classes that express and record policies, and execute a preprocessing function on the policy set;
in particular, the policy expression module contains a class for expressing and recording policies and a series of functions for preprocessing the policy set. The policy class records the network policies parsed by the input parsing module, and the preprocessing functions process the policy set of the whole network from a global point of view, for example converting a policy set with priorities and mutually overlapping rules into a policy set whose rules do not overlap. The policy set output by a preprocessing function can be processed further by other preprocessing functions or used directly as the input of subsequent modules.
The operation behavior expression module 240 is configured to obtain the policy application interface of the operation behavior description abstract class of the network based on the preprocessed policy set;
specifically, the operation behavior expression module consists of an abstract class and a series of implementations of it. The input of the class is the policy set output by the policy expression module, and the output is an operation behavior description abstract class of the network. The operation behavior description class provides an interface for applying the policies to network packets; underneath this interface the implementations use graph algorithms, theorem provers and so on, and the interface is called by other classes.
The constraint checking module 250 is configured to obtain a network checking result by calling the policy application interface of the operation behavior description abstract class.
Specifically, the input of the constraint checking module is the operation behavior description abstract class. The constraint checking module calls the policy application interface of that class to check concrete constraints, such as reachability between two points or the existence of a loop in the network, and the output of the module is a human-readable network checking result.
Based on any of the above embodiments, the input parsing module is specifically configured to implement parsing classes of configuration files of different network devices through predefined interfaces, convert configurations of network devices of different manufacturers into predefined standardized data structures, format and output the predefined standardized data structures to a file, so as to obtain a standardized network policy expression.
Specifically, the abstract class implementation in the network policy checking framework follows the factory class design: a common static class returns the specified concrete class according to the configuration file. The flow in the code is as follows:
3.1 Implement the various implementation classes according to the predefined abstract classes, and compile every implementation class whether or not it is used;
3.2 Define a factory class and implement a static instance generation function in it. The return type of the instance generation function is the abstract class; the factory class reads the configuration file and decides, according to its content, which implementation of the abstract class to return;
3.3 Wherever the program uses an implementation of the abstract class, it does not call the implementation class's constructor directly but calls the factory class's instance generation function.
Through the design concept, the switching of different functional modules can be realized only by modifying the configuration file without recompiling the program.
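The factory design in 3.1-3.3 and the packet header expression module it selects, as an added example in Python that is not part of the patent and not the inventors' code. The configuration file format, the names HeaderSpace, WildcardHeader, BitSetHeader, HeaderFactory and difference_demo, and the 3-bit headers are assumptions for this example; the intersection and subtraction follow the usual wildcard (header space) semantics, and the second implementation is an explicit bit set, so the two can be compared for the same operation.

```python
"""Added example (not the patent's code): a packet header expression module
behind a factory that is selected by a configuration file.

Two implementations of one abstract class: a ternary/wildcard string ('HS',
as in header space analysis) and an explicit set of concrete headers. The
config format and all class names are assumptions for this example."""
from abc import ABC, abstractmethod
import configparser
from typing import List, Set


class HeaderSpace(ABC):
    """Abstract class that the packet header expression module exposes."""

    @abstractmethod
    def intersect(self, other: "HeaderSpace") -> "HeaderSpace": ...

    @abstractmethod
    def subtract(self, other: "HeaderSpace") -> List["HeaderSpace"]: ...

    @abstractmethod
    def is_empty(self) -> bool: ...

    @abstractmethod
    def concrete(self) -> Set[int]:
        """Enumerate the concrete headers covered (used to compare implementations)."""


class WildcardHeader(HeaderSpace):
    """Ternary string, one char per bit: '0', '1' or 'x'. bits=None means empty."""

    def __init__(self, bits):
        self.bits = bits

    def is_empty(self):
        return self.bits is None

    def intersect(self, other):
        if self.is_empty() or other.is_empty():
            return WildcardHeader(None)
        out = []
        for a, b in zip(self.bits, other.bits):
            if a == "x":
                out.append(b)
            elif b == "x" or a == b:
                out.append(a)
            else:                       # 0 vs 1: no packet satisfies both
                return WildcardHeader(None)
        return WildcardHeader("".join(out))

    def subtract(self, other):
        """self minus other as disjoint wildcards: for every bit that self leaves
        free but the overlap pins, split off the headers with that bit flipped."""
        common = self.intersect(other)
        if common.is_empty():
            return [self]
        pieces, prefix = [], list(self.bits)
        for i, (a, b) in enumerate(zip(self.bits, common.bits)):
            if a == "x" and b != "x":
                flipped = prefix.copy()
                flipped[i] = "1" if b == "0" else "0"
                pieces.append(WildcardHeader("".join(flipped)))
                prefix[i] = b
        return pieces

    def concrete(self):
        if self.is_empty():
            return set()
        width = len(self.bits)
        return {v for v in range(2 ** width)
                if all(c == "x" or c == format(v, f"0{width}b")[i]
                       for i, c in enumerate(self.bits))}


class BitSetHeader(HeaderSpace):
    """Explicit set of concrete header values: trivial operations, exponential size."""

    def __init__(self, values, width):
        self.values, self.width = set(values), width

    @classmethod
    def from_wildcard(cls, bits):
        return cls(WildcardHeader(bits).concrete(), len(bits))

    def is_empty(self):
        return not self.values

    def intersect(self, other):
        return BitSetHeader(self.values & other.values, self.width)

    def subtract(self, other):
        return [BitSetHeader(self.values - other.values, self.width)]

    def concrete(self):
        return set(self.values)


# Constructed config file (assumed format); the keys mirror the three options above.
CONSTRUCTED_CONFIG = """
[framework]
header_expression = HS
policy_granularity = priority
forwarding_function = forward_static
"""


class HeaderFactory:
    """Static factory (3.2): reads the config and returns the configured
    implementation, so callers never name a concrete class (3.3)."""

    _impls = {"HS": lambda bits: WildcardHeader(bits),
              "BITSET": BitSetHeader.from_wildcard}

    @staticmethod
    def make(bits: str, config_text: str = CONSTRUCTED_CONFIG) -> HeaderSpace:
        cfg = configparser.ConfigParser()
        cfg.read_string(config_text)
        mode = cfg["framework"]["header_expression"].upper()
        return HeaderFactory._impls[mode](bits)


def difference_demo(mode: str) -> Set[int]:
    """All 3-bit headers except those matching 01x, with the configured implementation."""
    config = f"[framework]\nheader_expression = {mode}\n"
    everything = HeaderFactory.make("xxx", config)
    rule = HeaderFactory.make("01x", config)
    remaining: Set[int] = set()
    for piece in everything.subtract(rule):
        remaining |= piece.concrete()
    return remaining


if __name__ == "__main__":
    for mode in ("HS", "BITSET"):
        print(mode, sorted(difference_demo(mode)))
```

Only the `header_expression` line of the configuration changes between the two runs; the calling code is identical, which is the point of routing construction through the factory. The wildcard subtraction returns a list because the difference of two header spaces is in general not a single wildcard (xxx minus 01x is the two pieces 1xx and 00x).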
Based on any of the above embodiments, the configuration file includes a packet header expression mode configuration, a policy granularity configuration, and a forwarding function configuration;
modifying this static configuration file to adapt to different network verification algorithms, so that the network policy verification tool can be customized, comprises:
configuring the packet header expression mode so that a new packet header expression class implementing the abstract class interface of the packet header expression module is used, which reconstructs the packet header expression module;
inserting a new preprocessing function at a specified position of the policy expression module through the policy granularity configuration, which changes the preprocessing of the policy expression module;
and configuring the forwarding function so that a new operation behavior expression class implementing the abstract class interface of the operation behavior expression module is used.
In particular, the flexibility of the network policy checking framework is realized through the configuration file, in the following aspects:
4.1 Unified input format. Developers can verify a network built from new network devices by writing a script that converts the device configuration into the predefined standard format, and can try different network verification algorithms by modifying the configuration file, without adapting the input format for each network verification tool.
4.2 Reconstruction of the packet header expression module. Developers can test the effect of different underlying data structures for packet header expression and header space calculation on the function and performance of network policy verification simply by implementing a new packet header expression class against the interface of the module's abstract class.
4.3 Preprocessing in the policy expression module. Developers only need to design a new preprocessing algorithm and insert it at a suitable position in the policy expression module to test the effect of policy sets of different granularity, produced by different preprocessing, on the function and performance of network policy verification.
4.4 Reconstruction of the operation behavior expression module. Developers can test the effect of different network forwarding modeling algorithms on the function and performance of network policy verification simply by implementing a new operation behavior expression class against the interface of the module's abstract class.
4.5 Extensibility of the constraint checking module. A developer can develop a new constraint checking function, and so check new network constraints, using only the interface of the operation behavior expression abstract class.
Through this network policy verification framework, customization and agile development of network policy verification tools can be realized. Through the factory classes and configuration files above, a network administrator can customize a network policy verification tool whose function and performance meet the requirements by modifying the static configuration file. When the existing functional modules cannot meet the administrator's requirements for network policy verification, a developer of the tool can extend it through the module reconstruction and extension described in 4.1-4.5, developing a single module with a well-defined interface rather than redesigning a new network verification tool, which realizes a demand-driven agile development mode.
To better illustrate the network policy verification system, specific applications are as follows:
The specific implementation of the present invention is further described with reference to the network policy checking flow of fig. 3, the example topology of fig. 4, a network data plane forwarding policy checking example, and a policy checking tool development example. The network policy verification flow in fig. 3 shows that the network policy and the network topology are the inputs of the verification framework; packet header expression 1-n is selected through the packet header expression configuration to realize the policy set for that header expression; preprocessing functions 1-n are selected through the policy granularity configuration and executed on the policy set to obtain a new policy set; forwarding functions 1-n are selected through the forwarding function configuration and perform forwarding processing on the new policy set; the network verification indicators, including reachability, loop detection, black hole detection, multipath detection and K-failure detection, are output; and whether the network requirements are met under the current configuration is judged from these indicators. The example topology and example partial data plane forwarding policy of fig. 4 may be applied in cloud data centers, operator networks, and enterprise networks.
Fig. 4 contains 3 terminals H1-H3 and 2 forwarding devices SW1-SW2; for the purpose of distinguishing forwarding ports, only the last 3 bits of the IP address are considered. The wiring and part of the forwarding policy of the network are shown in fig. 4 and expressed in the standard input format. The configuration file of the framework is set as follows: the packet header expression mode is HS, the policy granularity is a policy set with priorities and overlapping rules, and the forwarding function is the forward static forwarding model. The network constraint to be checked is reachability from port 101 to port 112.
1. The program reads the input file, and since HS is selected as the underlying data structure for packet header expression, the policy set is expressed with that data structure.
2. Because the policy set with priorities and overlapping rules is selected as the policy granularity option, the policy set is not preprocessed and is input directly to the forwarding function.
3. The selected forward static forwarding model is used as the forwarding function to check the selected reachability constraint. A key-value pair (xxx, 101) in the format (packet header, port number) is initialized, where each of the three bits of the header xxx can be 0 or 1, and 101 indicates that the packet is currently located at port 101. Applying the forward policies whose input port is 101 to the packet yields the key-value pair array [(0xx, 103), (1xx, 102)] after the first round of forward iteration; applying to each pair the link policies whose input port matches its port number yields the array [(0xx, 111)] after the first round of link iteration. Applying the forward policies whose input port is 111 to that array yields [(01x, 112)] after the second round of forward iteration; this key-value pair is located at the destination port 112, so the pair and its propagation history are recorded. Applying the link policies whose input port is 112 yields the array after the second round of link iteration; this array is empty, and the iteration ends. All recorded paths: [01x, (101, 102, 111, 112)].
If the configuration file of the framework is modified so that the packet header expression mode is BDD, the policy granularity is a policy set whose policies do not cover each other, and the forwarding function is an SMT solver, the reachability checking process for ports 101 to 112 is as follows:
1. The program reads the input file and, since BDD is selected as the underlying data plane for packet header expression, the policy set is expressed as a BDD data structure.
2. Because the mutually non-covering policy set is selected as the policy granularity option, the policy set is processed into a set of policies that do not cover each other.
3. The selected SMT solver is used as the forwarding function to check the selected reachability constraint: two Z3 variables of Boolean type are established for each port, expressing respectively whether the packet leaves the port and whether it arrives at the port; the policy set is converted into SMT constraints; and the SMT solver solves the resulting constraints, finding that the packet is sent from port 101 to port 112 when pkt is 010. However, such an encoding for the SMT solver cannot find all reachable packet header spaces (such as 011 here), and furthermore cannot obtain the order of the ports through which the path passes.
Regarding the extensibility of the framework, adding a new module to the framework requires the following steps:
1. Initialize the entity class according to the interface class corresponding to the module to be implemented. If a new packet header expression module is to be added, the following entity class is created:
[Code listing, shown in the original as image BDA0003208943870000121]
2. Implement the functions of the entity class with the new algorithm, for example:
[Code listing, shown in the original as image BDA0003208943870000131]
3. Register the entity class in the factory class:
[Code listing, shown in the original as image BDA0003208943870000132]
The network policy can then be verified by modifying the configuration file and using the functional module realized by the new algorithm.
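The forward static forwarding model walked through for fig. 4 above, together with the interface class / entity class / factory class extension pattern of the three steps just listed, as an added example that is not the patent's own code. Class and function names are hypothetical, and the rule table is constructed to reproduce the intermediate key-value pair arrays of the trace (ports 101-103 on SW1, 111-112 on SW2).

```python
"""Added example (not the patent's code): forward static forwarding model over a
wildcard header space (HS), with a header-expression interface and a factory."""
from abc import ABC, abstractmethod
from typing import Dict, List, Optional, Tuple, Type


class HeaderExpr(ABC):
    """Interface class of the packet header expression module (hypothetical name)."""

    @abstractmethod
    def intersect(self, other: "HeaderExpr") -> Optional["HeaderExpr"]:
        """Return the common header space, or None if the two are disjoint."""


class WildcardHS(HeaderExpr):
    """Entity class: header space as a ternary string over {0, 1, x}, e.g. '0xx'."""

    def __init__(self, bits: str) -> None:
        if set(bits) - {"0", "1", "x"}:
            raise ValueError(f"bad header space {bits!r}")
        self.bits = bits

    def intersect(self, other: "HeaderExpr") -> Optional["WildcardHS"]:
        assert isinstance(other, WildcardHS)
        out = []
        for a, b in zip(self.bits, other.bits):
            if a == "x" or a == b:
                out.append(b)
            elif b == "x":
                out.append(a)
            else:
                return None          # fixed 0 against fixed 1: disjoint
        return WildcardHS("".join(out))

    def __repr__(self) -> str:
        return self.bits


# Factory class: the configuration file selects the header expression by name.
HEADER_FACTORY: Dict[str, Type[HeaderExpr]] = {}


def register_header_expr(name: str):
    def deco(cls: Type[HeaderExpr]) -> Type[HeaderExpr]:
        HEADER_FACTORY[name] = cls      # step 3: register the entity class
        return cls
    return deco


register_header_expr("HS")(WildcardHS)

# A forward rule is (ingress port, match header, egress port); a link maps an
# egress port to the ingress port at the far end.
ForwardRule = Tuple[int, str, int]
Path = Tuple[str, Tuple[int, ...]]


def reachability(rules: List[ForwardRule], links: Dict[int, int],
                 start: HeaderExpr, src: int, dst: int) -> List[Path]:
    """Alternate forward and link iterations from (start, src), recording every
    (header, port history) that reaches dst; stops when the array is empty."""
    frontier = [(start, src, (src,))]
    reached: List[Path] = []
    while frontier:
        after_forward = []
        for hdr, port, hist in frontier:                 # forward iteration
            for in_port, match, out_port in rules:
                if in_port != port:
                    continue
                h = hdr.intersect(type(hdr)(match))      # match parsed with configured class
                if h is not None:
                    after_forward.append((h, out_port, hist + (out_port,)))
        for hdr, port, hist in after_forward:            # record arrivals at dst
            if port == dst:
                reached.append((repr(hdr), hist))
        frontier = []
        for hdr, port, hist in after_forward:            # link iteration
            nxt = links.get(port)
            if nxt is not None and nxt not in hist:      # revisit guard: a forwarding loop
                frontier.append((hdr, nxt, hist + (nxt,)))
    return reached


def fig4_example() -> List[Path]:
    """Constructed rule table matching the fig. 4 trace; 3-bit header, src 101, dst 112."""
    rules: List[ForwardRule] = [
        (101, "0xx", 103),   # SW1: prefix 0 towards SW2
        (101, "1xx", 102),   # SW1: prefix 1 to a local host port
        (111, "01x", 112),   # SW2: 01x to host port 112 (00x has no rule: dropped)
    ]
    links = {103: 111}       # SW1 port 103 <-> SW2 port 111
    return reachability(rules, links, HEADER_FACTORY["HS"]("xxx"), 101, 112)


if __name__ == "__main__":
    print(fig4_example())
```

The first forward round yields [(0xx,103), (1xx,102)], the link round [(0xx,111)], and the second forward round [(01x,112)], exactly the arrays in the trace; the recorded propagation history includes the transit port 103.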
The network policy verification method provided by the present invention is described below; the network policy verification method described below and the network policy verification system described above correspond to each other and may be referred to one another.
Fig. 5 is a schematic flowchart of a network policy checking method according to an embodiment of the present invention, and as shown in fig. 5, the method includes:
step 510, acquiring a network topology, a network policy and a constraint to be verified;
step 520, obtaining a network verification result based on the network topology, the network policy, the constraint to be verified and the configuration file of the network equipment;
step 530, constraint satisfaction information, error location information and/or error repair suggestions are obtained based on the network verification result.
The method provided by the embodiment of the invention is based on modular program design, and is used for enabling network operation and maintenance personnel to check different network equipment, network strategies and network constraints, realizing free combination of the same functional modules based on different principles by carrying out combined modeling on the functional module sequences in the network checking process, enabling the network operation and maintenance personnel to customize a network checking tool with functions and performances meeting requirements, accelerating the development process of the network checking tool through code multiplexing and standardized interfaces, and reducing the technical iteration cost.
Based on any of the above embodiments, the obtaining a network verification result based on the network topology, the network policy, the constraint to be verified, and the configuration file of the network device includes:
obtaining a standardized network policy expression based on the obtained configuration file of the network equipment;
receiving the standardized network policy expression, constructing a policy set from the classes that express and record policies, based on the data structure that stores, expresses and records packet headers, and executing a preprocessing function on the policy set;
obtaining a policy application port of an operation behavior description abstract class of the network based on a policy set for executing a preprocessing function;
and obtaining a network verification result by calling the strategy application port of the operation behavior description abstract class.
Based on any of the above embodiments, the obtaining a standardized network policy expression based on the obtained configuration file of the network device includes: the method comprises the steps of realizing analysis classes of configuration files of different network devices through a predefined interface, converting the configuration of the network devices of different manufacturers into a predefined standardized data structure and formatting an output file to obtain standardized network policy expression.
Based on any of the above embodiments, the configuration file includes a packet header expression mode configuration, a policy granularity configuration, and a forwarding function configuration;
modifying the static configuration file to adapt to different network verification algorithms to meet the customization of the network policy verification tool, comprising:
the configuration of the packet header expression mode enables an abstract interface of a packet header expression module to realize a new packet header expression class so as to complete the reconstruction of the packet header expression module;
inserting a new preprocessing function into a designated position of a strategy expression module through the strategy granularity configuration so as to complete the preprocessing of the strategy expression module;
and configuring the forwarding function to enable the interface of the abstract class of the operation behavior expression module to realize a new operation behavior expression abstract class.
In summary, the key points of the present invention are:
1) Performing functional module segmentation on the network policy verification process to realize a universal policy verification framework.
2) Defining the interfaces of all functional modules in a modular programming manner, and performing modular reconstruction of network policy checking tools based on different principles.
3) Standardized network policy input formats simplify the process of extending the supported devices.
4) The network packet header expression abstract class and the operation behavior expression abstract class unify, into one set of interfaces, different underlying packet header expression data structures and models whose underlying implementation principles differ greatly, such as graph algorithms, theorem proving and static forwarding.
5) The differences between network policy set expression modes are expressed in the form of preprocessing functions, and a scalable preprocessing function sequence is designed.
6) The functional constraint checking module can realize, in batches and through the interface of the operation behavior expression abstract class, multiple underlying implementations of a single network constraint check.
7) The factory class design of the abstract classes and the preprocessing function sequence of item 5) work together so that the basic functional modules can be combined by modifying the static configuration file.
The invention realizes an extensible and customizable general network policy verification framework, which:
(1) Extends and customizes the network policy checking tool according to the functional and performance requirements of the given network policy checking task.
(2) Unifies the input format of the network policy checking tool, so that an existing network checking tool can conveniently be connected to an actual network formed by new equipment, improving the extensibility of the network policy checking tool.
(3) Improves the code reuse rate of the network policy checking tool through modular programming, reducing the development workload of new algorithms and shortening the technical iteration period.
(4) Can perform performance tests on various existing network policy verification tools by controlling variables, finding the network model and verification algorithm with the best performance in a specific scenario.
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention, and as shown in fig. 6, the electronic device may include: a processor (processor) 610, a communication interface (Communications Interface) 620, a memory (memory) 630 and a communication bus 640, wherein the processor 610, the communication interface 620 and the memory 630 communicate with each other via the communication bus 640. The processor 610 may invoke logic instructions in the memory 630 to perform a network policy check method comprising: acquiring network topology, network strategies and constraints to be verified; obtaining a network verification result based on the network topology, the network policy, the constraint to be verified and the configuration file of the network equipment; and obtaining constraint satisfaction information, error positioning information and/or error repair suggestions based on the network verification result.
In addition, the logic instructions in the memory 630 may be implemented in software functional units and stored in a computer readable storage medium when the logic instructions are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, an embodiment of the present invention further provides a computer program product, where the computer program product includes a computer program stored on a non-transitory computer-readable storage medium, the computer program includes program instructions, and when the program instructions are executed by a computer, the computer can execute the network policy checking method provided by each of the above methods, where the method includes: acquiring network topology, network strategies and constraints to be verified; obtaining a network verification result based on the network topology, the network policy, the constraint to be verified and the configuration file of the network equipment; and obtaining constraint satisfaction information, error positioning information and/or error repair suggestions based on the network verification result.
In yet another aspect, an embodiment of the present invention further provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program is implemented by a processor to perform the network policy checking method provided in the foregoing, and the method includes: acquiring network topology, network strategies and constraints to be verified; obtaining a network verification result based on the network topology, the network policy, the constraint to be verified and the configuration file of the network equipment; and obtaining constraint satisfaction information, error positioning information and/or error repair suggestions based on the network verification result.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A network strategy checking system is characterized by comprising an input end, a network strategy checking unit and an output end;
the input end is used for inputting network topology, network strategies and constraints to be verified;
the network policy verification unit is used for receiving the network topology, the network policy and the constraint to be verified, and outputting a network verification result based on the acquired configuration file of the network equipment;
the output end is used for outputting constraint satisfaction information, error positioning information and/or error repair suggestions.
2. The network policy verification system according to claim 1, wherein the network policy verification unit comprises an input parsing module, a packet header expression module, a policy expression module, an operation behavior expression module and a constraint verification module;
the input analysis module is used for obtaining a standardized network strategy expression based on the acquired configuration file of the network equipment;
the packet header expression module is used for storing and expressing and recording a data structure of the packet header;
the strategy expression module is used for receiving the standardized network strategy expression, constructing a strategy set by expressing and recording the classes of the strategies and executing a preprocessing function on the strategy set;
the operation behavior expression module is used for obtaining a strategy application port of an operation behavior description abstract class of the network based on a strategy set for executing the preprocessing function;
and the constraint checking module is used for obtaining a network checking result by calling the strategy application port of the operation behavior description abstract class.
3. The system according to claim 2, wherein the input parsing module is specifically configured to implement parsing classes of configuration files of different network devices through predefined interfaces, and convert configurations of network devices of different manufacturers into predefined standardized data structures and format output files to obtain standardized network policy expressions.
4. The network policy validation system of claim 3, wherein the configuration file comprises a packet header expression pattern configuration, a policy granularity configuration, and a forwarding function configuration;
modifying the static configuration file to adapt to different network verification algorithms to meet the customization of the network policy verification tool, comprising:
configuring the packet header expression mode to enable an abstract class interface of the packet header expression module to realize a new packet header expression class so as to complete the reconstruction of the packet header expression module;
inserting a new preprocessing function into a specified position of the strategy expression module through the strategy granularity configuration so as to complete the preprocessing of the strategy expression module;
and configuring the forwarding function to enable the interface of the abstract class of the operation behavior expression module to realize a new operation behavior expression abstract class.
5. A network policy verification method is characterized by comprising the following steps:
acquiring network topology, network strategies and constraints to be verified;
obtaining a network verification result based on the network topology, the network policy, the constraint to be verified and the configuration file of the network equipment;
and obtaining constraint satisfaction information, error positioning information and/or error repair suggestions based on the network verification result.
6. The method according to claim 5, wherein obtaining a network verification result based on the network topology, the network policy, the constraint to be verified, and the configuration file of the network device comprises:
obtaining a standardized network policy expression based on the obtained configuration file of the network equipment;
receiving the standardized network policy expression, constructing a policy set from the classes that express and record policies, based on the data structure that stores, expresses and records packet headers, and executing a preprocessing function on the policy set;
obtaining a policy application port of an operation behavior description abstract class of the network based on a policy set for executing a preprocessing function;
and obtaining a network verification result by calling the strategy application port of the operation behavior description abstract class.
7. The method of claim 6, wherein obtaining a standardized network policy expression based on the obtained configuration file of the network device comprises: the method comprises the steps of realizing analysis classes of configuration files of different network devices through a predefined interface, converting the configuration of the network devices of different manufacturers into a predefined standardized data structure and formatting an output file to obtain standardized network policy expression.
8. The network policy verification method according to claim 7, wherein the configuration file comprises packet header expression mode configuration, policy granularity configuration and forwarding function configuration;
modifying the static configuration file to adapt to different network verification algorithms to meet the customization of the network policy verification tool, comprising:
the configuration of the packet header expression mode enables an abstract interface of a packet header expression module to realize a new packet header expression class so as to complete the reconstruction of the packet header expression module;
inserting a new preprocessing function into a designated position of a strategy expression module through the strategy granularity configuration so as to complete the preprocessing of the strategy expression module;
and configuring the forwarding function to enable the interface of the abstract class of the operation behavior expression module to realize a new operation behavior expression abstract class.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the steps of the network policy checking method according to any of claims 5 to 8 are implemented when the program is executed by the processor.
10. A non-transitory computer readable storage medium, having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the steps of the network policy verification method according to any one of claims 5 to 8.
CN202110925006.XA (granted as CN113721904B, Active): A network policy verification system and method; priority date 2021-08-12, filing date 2021-08-12

Priority Applications (1)

CN202110925006.XA / CN113721904B (en): priority date 2021-08-12, filing date 2021-08-12, A network policy verification system and method

Applications Claiming Priority (1)

CN202110925006.XA / CN113721904B (en): priority date 2021-08-12, filing date 2021-08-12, A network policy verification system and method

Publications (2)

CN113721904A (en), published 2021-11-30
CN113721904B (en), published 2024-12-10

Family

ID=78675686

Family Applications (1)

CN202110925006.XA / CN113721904B (en), Active: A network policy verification system and method; priority date 2021-08-12, filing date 2021-08-12

Country Status (1)

CN (1): CN113721904B (en)

Citations (6)

* Cited by examiner, † Cited by third party
US20200019381A1 (en)*, priority 2018-07-12, published 2020-01-16, AT&T Intellectual Property I, L.P.: Optimization application
CN111034123A (en)*, priority 2017-06-19, published 2020-04-17, 思科技术公司: Authentication of layer 1 interfaces in a network
CN111431732A (en)*, priority 2020-02-11, published 2020-07-17, 西安交通大学: A method and system for incremental verification of computer network data plane
CN111628962A (en)*, priority 2020-03-30, published 2020-09-04, 西安交大捷普网络科技有限公司: Policy centralized configuration system and method for network security equipment
CN112532517A (en)*, priority 2020-11-05, published 2021-03-19, 东北大学: OSPF protocol configuration comprehensive scheme based on domain specific language
CN112636958A (en)*, priority 2020-12-12, published 2021-04-09, 东北大学: Policy autoverification techniques in intent-driven networks

Also Published As

CN113721904B (en), published 2024-12-10

Legal Events

PB01: Publication
SE01: Entry into force of request for substantive examination
GR01: Patent grant
TR01: Transfer of patent right
  Effective date of registration: 20250729
  Address after: 100083 No.8 Zhongguancun East Road, Haidian District, Beijing, Dongsheng Building AB Block, 9th Floor, Unit 903B, 905A
  Patentee after: Beijing Jiliu Technology Co.,Ltd.
  Country or region after: China
  Address before: Tsinghua University, 30 Shuangqing Road, Haidian District, Beijing 100084
  Patentee before: TSINGHUA University
  Country or region before: China
